NewPoSThings Point-Of-Sale Malware with a New Version

A new variant of the NewPoSThings malware known for targeting payment processing systems has been released in the wild. This time the threat is directed at 64-bit machines with high version numbers.

Research shows that the most recently detected samples of PoS malware version 3.0 were compiled at the end of January this year, and earlier versions in December 2014.

Arbor Networks reported the NewPoSThings malware in September last year. Further analysis showed that the threat has been actively developed since at least October 2013.

PoS Malware Poses as Java Updater

Previous versions of the malware checked the system architecture and, if a 64-bit machine was detected, exited. In such cases, the threat informed the hackers why the infection failed. Experts believe that at the time.

Once installed, the malware performed the following tasks:

Replaced the JavaUpdate.exe process

Added itself as a startup item in the registry. The name the threat used was “Java Update Manager.”

Reportedly, the new version of NewPoSThings searches for passwords for remote admin software (WinVNC, RealVNC, TightVNC). This information has been confirmed by analysts at both Arbor Networks and Trend Micro.

Next, it starts memory scraping to find payment card information processed by the PoS device. Researchers have also detected keylogging activity.

The New Features of the NewPoSThings Malware

According to Trend Micro’s Jay Yaneza, if the affected machine is connected to the Internet, the keylogger communicates with the C&C server every five minutes. Every ten minutes, the transfer thread checks whether data is ready for exfiltration.
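The five-minute check-in interval reported above can serve defenders as a detection signal. The following is an added example, not code from Trend Micro or Arbor Networks: it flags source/destination pairs in a connection log whose gaps cluster around a whole multiple of 300 seconds. The log format, host names, addresses, tolerance and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real telemetry): "timestamp source destination".
SAMPLE_LOG = """\
2015-04-01T09:00:02 pos-01 203.0.113.10:80
2015-04-01T09:01:10 pos-02 198.51.100.7:443
2015-04-01T09:02:45 pos-02 198.51.100.7:443
2015-04-01T09:05:04 pos-01 203.0.113.10:80
2015-04-01T09:09:30 pos-02 198.51.100.7:443
2015-04-01T09:10:01 pos-01 203.0.113.10:80
truncated-line-without-fields
2015-04-01T09:15:03 pos-01 203.0.113.10:80
2015-04-01T09:25:05 pos-01 203.0.113.10:80
2015-04-01T09:30:02 pos-01 203.0.113.10:80
2015-04-01T09:31:00 pos-02 198.51.100.7:443
2015-04-01T09:33:12 pos-02 198.51.100.7:443
"""

def group_flows(log):
    """Group timestamps by (source, destination), skipping malformed lines."""
    flows = defaultdict(list)
    for line in log.splitlines():
        try:
            stamp_text, src, dst = line.split()
            stamp = datetime.strptime(stamp_text, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # wrong field count or unparsable timestamp
        flows[(src, dst)].append(stamp)
    return flows

def find_beacons(log, period=300, tolerance=20, min_events=5, min_ratio=0.8):
    """Return {(source, destination): median gap in seconds} for periodic flows."""
    hits = {}
    for flow, stamps in group_flows(log).items():
        if len(stamps) < min_events:
            continue  # too few connections to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A gap matches if it is close to k * period (k >= 1), so a check-in
        # missed while the host was offline does not hide the pattern.
        matching = [g for g in gaps
                    if round(g / period) >= 1
                    and abs(g - round(g / period) * period) <= tolerance]
        if len(matching) / len(gaps) >= min_ratio:
            hits[flow] = median(gaps)
    return hits
```

On the constructed log, `find_beacons(SAMPLE_LOG)` reports only the pos-01 flow, including across the one skipped check-in; the irregular pos-02 traffic is not flagged.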

The path to the file that contains the configuration for disabling security alerts for specific extensions on Windows is completely hidden in the 3.0 version.

Other new functionalities include:

Compatibility with Windows 7 computers

Adds certain measures to avoid analysis

Uses a custom packer

Yaneza reports that version 2.x samples come with a backdoor equipped with keylogging functionality and can start/stop the VNC session. The same goes for the web camera, in case one is present.

The backdoor also scans the processes running on the compromised machine and sends a report to the C&C server.

Yaneza adds that while inspecting the new NewPoSThings PoS malware version, he spotted the threat trying to connect to the command and control server from IP addresses of two airports in the US.